Skip to content

Low risk information disclosure in Sourcegraph

Low
andreeleuterio published GHSA-mq5p-477h-xgwv Aug 2, 2021

Package

No package listed

Affected versions

< 3.30.0

Patched versions

3.30.0

Description

Impact

Sourcegraph before version 3.30.0 has two potential information leaks. The site-admin area can be accessed by regular users and all information and features are properly protected except for:

  • Daily Usage statistics
  • Code intelligence uploads and indexes

It is not possible to alter the information, nor interact with any other features in the site-admin area.

Patches

The issue is patched in version 3.30.0 where the information cannot be accessed by unprivileged users. We may work on further defenses as defense-in-depth.

Workarounds

There are no workarounds and we recommend upgrading to the latest release.

For more information

If you have any questions or comments about this advisory:

Credit

Thanks to N. Shanmuga Bharathi for reporting this vulnerability through Sourcegraph's Bug Bounty Program.

Severity

Low
3.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2021-32787

Weaknesses